Menu
Ecommerce service exposed passports, ID details of users

Ecommerce service exposed passports, ID details of users

S3 bucket included details of individuals included in the Dow Jones Watchlist

Sensitive personal details of individuals, including whether they appeared on the Dow Jones Watchlist of risky individuals, were exposed by a publicly accessible Amazon Web Services S3 bucket.

The documents in the S3 bucket, which was locked down earlier this week, were associated with the New Zealand operation of ecommerce service Cloud Union. Cloud Union, which originally launched in China, operates a plug-in loyalty service for its merchant clients. Consumers can sign up to the service and earn redeemable reward points across participating merchants.

The service has a presence in a number of markets outside China, including AustraliaMalaysiaSouth Korea, Taiwan and the United States.

The S3 bucket housed dozens of scanned or photographed passports as well as electronic identification verification (EIV) checks.

EIV checks conducted through Verifi include a range of sensitive information including the relevant individual's name and address, date of birth, NZ driver’s licence number, and whether the ID details match those held by the NZ Transport Agency and Centrix.

In addition Verifi reports include a list of individuals who appear the Dow Jones Watchlist that may match the subject individual, including indicators of risk (such as being a PEP or having been subject to adverse criminal or civil legal actions).

The S3 bucket appeared to have been created as part of a test.

Cloud Union did not respond to a request for comment.

The bucket was locked down shortly after CERT NZ and the company were alerted to the breach.

Unlike Australia, New Zealand does not yet have any form of mandatory data breach notification scheme, although a new Privacy Bill that would introduce a notification regime is currently being considered.

Australia’s mandatory breach notification scheme took effect in February 2018. In the first four full quarters of the scheme, the OAIC received notifications of 964 breaches, with 60 per cent related to criminal or malicious acts.

Open S3 buckets have been linked to a number of high-profile data breaches.

Last month Australian training company MEGT confirmed that a service provider it had engaged had left student information in an unsecured bucket. The data included identification details, educational data, transaction data, health data and passport and visa details.

ASX-listed property valuation firm LandMark White saw a significant drop in revenue after some its major clients suspended their use of its services following an S3-linked data breach.

Around 100 million people in the US and 6 million in Canada have been affected by the Capital One breach, which involved data stored on S3. However, in that case the breach has been attributed to a misconfigured web application firewall rather than a publicly accessible bucket.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cyber securitydata breaches

Featured

Slideshows

Reseller News Platinum Club celebrates leading partners in 2019

Reseller News Platinum Club celebrates leading partners in 2019

The leading players of the New Zealand channel came together to celebrate a year of achievement at the annual Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months.

Reseller News Platinum Club celebrates leading partners in 2019
Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosted its second annual alumnae breakfast for the Women in ICT Awards in New Zealand, designed to showcase the leading female leaders in the industry. Held at The Cordis in Auckland, attendees came together to hear inspiring keynotes and panel discussions, alongside high-level networking among peers. Photos by Gino Demeer.

Reseller News hosts alumnae breakfast for Women in ICT Awards
Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Show Comments